ASA 5510 intervlan routing

Nay Myo Tun
Level 1

Hi,

Could you please help to advise? I have an issue with my project. I have already set up the ASA 5510 and configured eth0 for outside (security-level 0), eth1 for DMZ (security-level 50) and eth3 for the internal network (security-level 100). I want to route / ping / ftp from each VLAN to another.

I have configured the necessary ACL to allow the traffic between the interfaces (DMZ <=> Outside).

Using packet tracer from Outside to DMZ, the packet is allowed. But I can't ping / ftp from one interface to another. Please see the attached screenshot.

But according to what I've read on this forum, "If you are trying inter-vlan routing, then make sure that both sub-interfaces have a nameif and security level set to same value."

Does it apply to DMZ, internal and external interfaces with different security levels? I'd really appreciate your advice since I am now confused.

17 Replies

Remove the following commands:

object network DMZ2_TO_INSIDE
 host 172.25.154.107

object network DMZ2_TO_INSIDE
 nat (INSIDE,DMZ2) static 172.25.130.250

Add the following commands:

object network DMZ2-TO-INSIDE
 subnet 172.25.104.0 255.255.255.0

object network DMZ2-TO-INSIDE
 nat (INSIDE,DMZ2) static 172.25.104.0

access-group dmz in interface DMZ2

access-list dmz permit ip 172.25.130.0 255.255.255.0 172.25.104.0 255.255.255.0

clear xlate, and check the access from the DMZ to the inside.

Regards,

Mohamed

Thanks, Mohamed. I will do it the first thing in the morning and will update accordingly.

Hi Mohamed,

I have managed to configure all outbound directions (INSIDE --> DMZ1 & 2, INSIDE --> OUTSIDE, DMZ1,2 --> OUTSIDE).

But I am still not able to access in the inbound direction (OUTSIDE --> DMZ1,2, DMZ1,2 --> INSIDE). Kindly advise how to allow traffic from DMZ --> INSIDE and OUTSIDE --> DMZ. I need to be able to ping / ftp in the inbound direction, from lower to higher security level. Kindly take note that my IOS version is ASA Version 8.3(1).

For the outbound direction, these dynamic NAT configs seem to be OK since I can access ssh / ftp in the outbound direction (higher to lower security interface):

interface Ethernet0/0
 nameif OUTSIDE
 security-level 0
 ip address 172.25.152.248 255.255.255.0
!
interface Ethernet0/1
 nameif DMZ1
 security-level 50
 ip address 172.25.154.249 255.255.255.0
!
interface Ethernet0/2
 nameif DMZ2
 security-level 50
 ip address 172.25.156.249 255.255.255.0
!
interface Ethernet0/3
 nameif INSIDE
 security-level 100
 ip address 172.25.130.248 255.255.255.0

Dynamic NATs (successful for outbound access)

(Outbound from inside to DMZ2)

object network INSIDE_dynamic_DMZ2
 subnet 172.25.130.0 255.255.255.0
 nat (INSIDE,DMZ2) dynamic 172.25.154.250

(Outbound from DMZ2 to outside)

object network DMZ2_dynamic_OUTSIDE
 host 172.25.154.107
 nat (DMZ2,OUTSIDE) dynamic 172.25.152.251

(Outbound from inside to outside)

object network INSIDE_dynamic_OUTSIDE
 subnet 172.25.130.0 255.255.255.0
 nat (INSIDE,OUTSIDE) dynamic 172.25.152.250

(Outbound from inside to DMZ1)

object network INSIDE_dynamic_DMZ1
 subnet 172.25.130.0 255.255.255.0
 nat (INSIDE,DMZ1) dynamic 172.25.156.250

STATIC NATs (not successful for inbound access)

(Inbound from outside to DMZ1)

object network OUTSIDE-static_DMZ1
 subnet 172.25.156.0 255.255.255.0
 nat (DMZ1,OUTSIDE) static 172.25.152.252

(Inbound from DMZ2 to INSIDE)

object network DMZ2-static-INSIDE
 subnet 172.25.154.0 255.255.255.0
 nat (INSIDE,DMZ2) static 172.25.130.253

Error message I got when I ssh to "172.25.130.101" (inside server) from the DMZ1 server 172.25.154.107:

Severity 4, Dec 07 2010 17:40:53, syslog ID 106023, src 172.25.154.107 port 60815, dst 172.25.154.101 port 22:
Deny tcp src DMZ2:172.25.154.107/60815 dst INSIDE:172.25.154.101/22 by access-group "DMZ2_INSIDE" [0x0, 0x0]

(Inbound from outside to DMZ2)

object network OUTSIDE-static-DMZ2
 subnet 172.25.154.0 255.255.255.0
 nat (DMZ2,OUTSIDE) static 172.25.152.253

(Error message when I ssh from the external server, which is located on the external interface of the router, to the DMZ2 server 172.25.154.107:)

#ssh 172.25.154.107
ssh: connect to host 172.25.154.107 port 22: No route to host

(Note: a route has been added on the external server, and it can ping the external interface of the FW.)

Access Lists

access-list OUTSIDE_IN extended permit tcp any host 172.25.154.107 object-group PORT_GROUP
access-list INSIDE_IN extended permit ip 172.25.130.0 255.255.255.0 any
access-list OUTSIDE_DMZ1 extended permit ip 172.25.156.0 255.255.255.0 172.25.152.0 255.255.255.0
access-list DMZ2_INSIDE extended permit ip 172.25.130.0 255.255.255.0 172.25.154.0 255.255.255.0
access-list DMZ1_INSIDE extended permit ip 172.25.130.0 255.255.255.0 172.25.150.0 255.255.255.0
access-list OUTSIDE_DMZ2 extended permit ip 172.25.154.0 255.255.255.0 172.25.152.0 255.255.255.0

access-group OUTSIDE_DMZ1 in interface OUTSIDE
access-group DMZ2_INSIDE in interface DMZ2
access-group DMZ1_INSIDE in interface DMZ1

Regards,
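An added example, not part of the thread or of anyone's posted configuration: a small Python check that takes the ACL entries and the 106023 deny line posted above (re-typed here as constructed sample input), looks up the access-group named in the message, and reports whether any entry permits the logged flow and whether the source address seen on the ingress interface appears only in an entry's destination field, which is what an ACE written for the reverse direction looks like. It assumes the "src mask dst mask" form of an extended ACE; host, any and object-group entries are skipped.

```python
import ipaddress
import re

# Constructed sample input, re-typed from the thread: the ACL applied inbound on DMZ2
# and the %ASA-4-106023 deny line logged for the SSH attempt from the DMZ2 server.
ACL_TEXT = """
access-list DMZ2_INSIDE extended permit ip 172.25.130.0 255.255.255.0 172.25.154.0 255.255.255.0
access-list OUTSIDE_DMZ2 extended permit ip 172.25.154.0 255.255.255.0 172.25.152.0 255.255.255.0
"""
DENY_LINE = ('Deny tcp src DMZ2:172.25.154.107/60815 dst INSIDE:172.25.154.101/22 '
             'by access-group "DMZ2_INSIDE" [0x0, 0x0]')

# Assumption: only the "src mask dst mask" form of an extended ACE is parsed;
# host / any / object-group entries are skipped to keep the example short.
ACE_RE = re.compile(r"access-list (\S+) extended (permit|deny) (\S+) ([\d.]+) ([\d.]+) ([\d.]+) ([\d.]+)")
DENY_RE = re.compile(r'Deny (\w+) src (\w+):([\d.]+)/\d+ dst (\w+):([\d.]+)/\d+\s+by access-group "([^"]+)"')


def parse_acls(text):
    """Return {acl_name: [ace, ...]} with src/dst as ipaddress networks."""
    acls = {}
    for line in text.strip().splitlines():
        m = ACE_RE.match(line.strip())
        if m:
            name, action, proto, s, sm, d, dm = m.groups()
            acls.setdefault(name, []).append({
                "action": action, "proto": proto,
                "src": ipaddress.ip_network(f"{s}/{sm}"),
                "dst": ipaddress.ip_network(f"{d}/{dm}")})
    return acls


def explain_deny(deny_line, acls):
    """Match the logged flow against the access-group named in the 106023 message."""
    m = DENY_RE.search(deny_line)
    if not m:
        return None
    proto, src_if, src, dst_if, dst, group = m.groups()
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    report = {"group": group, "ingress": src_if, "src": str(src), "dst": str(dst),
              "permitted_by": [], "src_in_dst_field": []}
    for i, ace in enumerate(acls.get(group, [])):
        if ace["proto"] not in ("ip", proto):
            continue
        if ace["action"] == "permit" and src in ace["src"] and dst in ace["dst"]:
            report["permitted_by"].append(i)  # a permit entry covers this flow
        # The address arriving as source on the ingress interface sits only in the
        # entry's destination field: the entry was written for the opposite direction.
        if src not in ace["src"] and src in ace["dst"]:
            report["src_in_dst_field"].append(i)
    return report
```

For the posted data the report shows no permitting entry in DMZ2_INSIDE and flags entry 0, whose destination network 172.25.154.0/24 contains the DMZ2 source 172.25.154.107.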
